PowerShell and Firewall Rules.
PowerShell is a great tool for maintaining your firewall rules; this post includes K2 Blackpearl samples. A script does the same thing the same way every time, provided the rules were set up correctly in the script in the first place.
But that's the point. Edit your scripts once, run them in many places, and, knowing they have been vetted properly, you should be safe. Or at least you know you have made a best effort to identify the appropriate firewall rules.
First things:
- Import-Module NetSecurity
- Run Get-Command *firewall*

When setting up new servers, or just checking which firewall rules are in place, PowerShell is a great tool to help with that management.
New-NetFirewallRule statements can be used post-SYSPREP on servers or VMs.
There are quite a few parameters that can be specified with New-NetFirewallRule. I'll show a few that I use in the rules listed below.
A Quick Way To Add Rules
This definitely is the quick way to add rules. You could keep your rules in an XML file that is pulled down to the server on occasion for audit comparison and versioning whenever rules have been added or changed.
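As an added example (not code from the original post), here is one way to do the XML-driven setup just described: a desired-state file for the "K2 Software Ports" group is applied idempotently, existing rules are checked for port drift, and rules that were added to the group out of band are reported. The XML layout, its attribute names and the sample rules are assumptions for illustration.

```powershell
# Added example, not from the original post. Assumes the desired-state XML layout shown
# below; in practice the file would come from version control rather than a here-string.
Import-Module NetSecurity

# Constructed sample of the desired-state file (normally pulled from a repo, not inline).
$desired = [xml]@"
<Rules Group="K2 Software Ports">
  <Rule DisplayName="K2 Host server"     Direction="Outbound" Protocol="TCP" RemotePort="5555" />
  <Rule DisplayName="K2 Workflow server" Direction="Outbound" Protocol="TCP" RemotePort="5252" />
  <Rule DisplayName="K2 HTTPS"           Direction="Inbound"  Protocol="TCP" LocalPort="443" />
</Rules>
"@

$group  = $desired.Rules.Group
$wanted = @{}

foreach ($r in $desired.Rules.Rule) {
    $wanted[$r.DisplayName] = $true
    $params = @{
        DisplayName = $r.DisplayName
        Group       = $group
        Direction   = $r.Direction
        Protocol    = $r.Protocol
        Action      = 'Allow'
        Enabled     = 'True'
    }
    if ($r.LocalPort)  { $params.LocalPort  = $r.LocalPort }
    if ($r.RemotePort) { $params.RemotePort = $r.RemotePort }

    $existing = Get-NetFirewallRule -DisplayName $r.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        # Rule already present: compare its port filter so drift is reported, not silently kept.
        $pf = $existing | Get-NetFirewallPortFilter
        if (($r.LocalPort  -and ($pf.LocalPort  -ne $r.LocalPort)) -or
            ($r.RemotePort -and ($pf.RemotePort -ne $r.RemotePort))) {
            Write-Warning "Drift: '$($r.DisplayName)' ports differ from the desired-state file"
        }
    } else {
        New-NetFirewallRule @params | Out-Null
        Write-Host "Created '$($r.DisplayName)'"
    }
}

# Audit: any rule in the group that the file does not list was added outside the script.
Get-NetFirewallRule -Group $group -ErrorAction SilentlyContinue |
    Where-Object { -not $wanted.ContainsKey($_.DisplayName) } |
    ForEach-Object { Write-Warning "Unmanaged rule in group '$group': $($_.DisplayName)" }
```

Run it from an elevated PowerShell session; a second run creates nothing and only reports drift, which is what makes it safe to schedule for audits.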
New-NetFirewallRule Syntax
New-NetFirewallRule -DisplayName <String> [-Action <Action> ] [-AsJob] [-Authentication <Authentication> ] [-CimSession <CimSession[]> ] [-Description <String> ] [-Direction <Direction> ] [-DynamicTarget <DynamicTransport> ] [-EdgeTraversalPolicy <EdgeTraversal> ] [-Enabled <Enabled> ] [-Encryption <Encryption> ] [-GPOSession <String> ] [-Group <String> ] [-IcmpType <String[]> ] [-InterfaceAlias <WildcardPattern[]> ] [-InterfaceType <InterfaceType> ] [-LocalAddress <String[]> ] [-LocalOnlyMapping <Boolean> ] [-LocalPort <String[]> ] [-LocalUser <String> ] [-LooseSourceMapping <Boolean> ] [-Name <String> ] [-OverrideBlockRules <Boolean> ] [-Owner <String> ] [-Package <String> ] [-Platform <String[]> ] [-PolicyStore <String> ] [-Profile <Profile> ] [-Program <String> ] [-Protocol <String> ] [-RemoteAddress <String[]> ] [-RemoteMachine <String> ] [-RemotePort <String[]> ] [-RemoteUser <String> ] [-Service <String> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]
New-NetFirewallRule `
-DisplayName "LDAP: TCP" `
-Group "APP NAME" `
-Enabled True `
-Protocol tcp `
-RemotePort 389 `
-Direction Outbound
In a script each rule would normally sit on a single line without the backtick (`) continuation character.
Using Groups In Rules
I like using -Group; as the name implies, it groups your rules the way you want for faster viewing in the GUI.
Here are some firewall settings that can be copied and used when setting up rules for K2 BLACKPEARL in your environment. Copy what you need; it can save a lot of time on post-setup server configuration.
Copy And Modify For Your Use
The following list of rules can be modified and used anywhere you'd like to automate the setup of a machine. Take stock of your web servers, SQL servers and the like: during OS and application installation, rules should be created and added as part of the steps to harden your environment.
##
######### Outbound rules from the K2 Web Server
##
New-NetFirewallRule -DisplayName "K2 Workflow server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5252 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 Host server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5555 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 Discovery Service for server farm" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 49600 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 WCF and REST EndPoints" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 8888 -Direction Outbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5985 -Direction Outbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTPs" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5986 -Direction Outbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5985 -Direction Inbound
New-NetFirewallRule -DisplayName "WinRM 2.0 HTTPs" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 5986 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 636 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 636 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAP: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 389 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAP: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 389 -Direction Inbound
New-NetFirewallRule -DisplayName "LDAPS: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 636 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAPS: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 636 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAP: TCP" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 389 -Direction Outbound
New-NetFirewallRule -DisplayName "LDAP: UDP" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 389 -Direction Outbound
#KERBEROS
# Client-side traffic leaves from an ephemeral source port, so these outbound rules match on
# -RemotePort only; a -LocalPort 88/123/53 filter on an outbound rule would never match.
New-NetFirewallRule -DisplayName "K2 For Kerberos tcp" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 88 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 For Kerberos udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 88 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 For time udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 123 -Direction Outbound
# Most DNS lookups use UDP 53; add a matching udp rule if outbound traffic is filtered by default.
New-NetFirewallRule -DisplayName "K2 For DNS" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 53 -Direction Outbound
K2 Blackpearl also interacts with SQL Server and Exchange servers.
##
### RPC endpoint mapper
##
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Endpoint mapper tcp" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 135 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Endpoint mapper udp" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 135 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 MSDTC RPC Random high ports" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort "11024-65535" -Direction Outbound
## Done on SQLSERVER
netsh advfirewall firewall add rule name="MSSQLSERVER" dir=in action=allow program="D:\MSSQL11\MSSQL11.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" enable=yes
##
### Exchange and Email Rules
##
New-NetFirewallRule -DisplayName "K2 Email Events and Notifications" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 587 -Direction Outbound
##
### SQL ports
##
# OUTBOUND
New-NetFirewallRule -DisplayName "K2 SQL Instance" -Group "K2 Software Ports" -Enabled True -Protocol tcp -RemotePort 1433 -Direction Outbound
New-NetFirewallRule -DisplayName "K2 SQL SSMS" -Group "K2 Software Ports" -Enabled True -Protocol udp -RemotePort 1434 -Direction Outbound
# INBOUND
New-NetFirewallRule -DisplayName "K2 SQL Instance" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 1433 -Direction Inbound
New-NetFirewallRule -DisplayName "K2 SQL SSMS" -Group "K2 Software Ports" -Enabled True -Protocol udp -LocalPort 1434 -Direction Inbound
##
######### Inbound rules from the K2 Web Server
##
New-NetFirewallRule -DisplayName "K2 Workflow server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5252 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 Host server" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5555 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 Discovery Service for server farm" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 49600 -RemotePort any -Direction Inbound
New-NetFirewallRule -DisplayName "K2 HTTPS" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 443 -RemotePort any -Direction Inbound
##
### SQL Endpoint clustering 5022
New-NetFirewallRule -DisplayName "AlwaysOn Endpoint" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort 5022 -RemotePort any -Direction Inbound
# The outbound side connects to the partner replica's 5022 from an ephemeral port, so it filters on -RemotePort.
New-NetFirewallRule -DisplayName "AlwaysOn Endpoint" -Group "K2 Software Ports" -Enabled True -Protocol tcp -LocalPort any -RemotePort 5022 -Direction Outbound
K2 Blackpearl also uses DTC.
Here you can enable the DTC ports by group name or with individual New-NetFirewallRule calls.
##
### USING NETSH to add items
##
# DTC
netsh advfirewall firewall add rule name="MSDTC" dir=in action=allow program="%windir%\system32\msdtc.exe" enable=yes
New-NetFirewallRule -DisplayName "K2 DTC (TCP-In)" -Group "K2 Software Ports" -Enabled True -Protocol tcp -Program '%SystemRoot%\system32\msdtc.exe' -LocalPort any -RemotePort any -Direction Inbound

###
#### Enable DTC rules on servers
###
Import-Module NetSecurity
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (TCP-In)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (RPC-EPMAP)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (RPC)"
Enable-NetFirewallRule -DisplayName "Distributed Transaction Coordinator (TCP-Out)"
# Or by Group
Enable-NetFirewallRule -Group "Distributed Transaction Coordinator"
Once in a script, the firewall rules are quick to maintain and can also serve to document your application for troubleshooting should the need arise.
Part 2, if I do one 🙂, will cover a few of the other parameters of New-NetFirewallRule.

Thoughts & Ideas, Joseph Kravis 🙂